this post was submitted on 08 Dec 2024
63 points (88.9% liked)

Privacy

4359 readers
61 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 1 week ago (1 children)

I think that's a characterization of what happened but not necessarily a good representation of what actually happened.

Yes, some researchers in Zurich found vulnerabilities. Yes they down played them ... because you still couldn't read anything. They were also already working on a new protocol before those researches wrote their paper and yes I'm sure they made some tweaks based on their findings.

This is their response; I'd hardly call it "insulting" https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement

You could say the same thing about Signal's response to their "desktop security scandal" earlier this year (of which Threema wasn't vulnerable and Signal repeatedly refused to acknowledge as a problem).

yet it still doesn't support critical features like full forward secrecy

They do support PFS (perfect forward secrecy) though their new multi-device solution doesn't yet support it.

https://threema.ch/en/blog/posts/ibex

This is the same protocol they were already working on when the "researches they insulted" released their research finding issues with the old protocol.

Threema is also far more active with third-party audits than any other group: https://threema.ch/en/faq/code_audit

They severely mishandled vulnerabilities by insulting the security researchers, then introduced a new protocol they built with the advice given to them for free from the SAME researchers before that, and yet it still doesn't support critical features like full forward secrecy.

IMO this entire sentence is just wrong.

[–] RayJW 1 points 1 week ago (1 children)

As you said, if PFS can be disabled by enabling a feature on the receiving end it's by security practices not enabled, in the industry that's called a downgrade attack and considered very bad practice.

The blog post you linked, is the publicly revised version after they were called out by well known cryptographers for their handling. This was their original response to the researchers, again after the researchers disclosed the vulnerabilities to them and actively helped designing the new protocol, not just giving inspiration. This was their initial tweet: „There’s a new paper on Threema’s old communication protocol. Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings“ which is long deleted, but I did read it while it was still up back then. I can't find a screenshot or anything at the moment, so if you want to call me a liar, go ahead but if you search for that quote you will find many citations.

Also, they claimed „old protocol“ but Ibex was still months from being deployed widespread, so that's another big downplay.

You mention Signals Desktop app issue, Threema claimed the attacks were unrealistic because they require significant computing power or social engineering, both things that are definitely a risk if you're trying to protect yourself from bigger intelligence efforts. The issue with Signal Desktop however, required full file system access to your device at which point, there is nothing stopping the attacker from simply using a key logger, capturing your screen, etc.

This is why no big security researchers called out Signal but many shunned Threema. At the end I don't have a horse in the race for either of them, but I think those are facts people need when making a decision with their private information.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago)

As you said, if PFS can be disabled by enabling a feature on the receiving end it's by security practices not enabled, in the industry that's called a downgrade attack and considered very bad practice.

I don't have an iOS device to know for sure but I'm fairly certain they inform you and participants in your chats about the PFS interruptions. It's a temporary problem you have to deal with to use a beta application.

One of their devs was on mastodon talking about how PFS was more complicated with their design than they expected because they need to sync up the devices. Signal took the approach of sending one message to every device and Threema sends it to one of your devices and then that device sends it to the others. From what I understand this makes the PFS session key synchronization harder for Threema so it's not implemented yet.

This was their initial tweet: „There’s a new paper on Threema’s old communication protocol. Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings“

The issue with Signal Desktop however, required full file system access to your device at which point, there is nothing stopping the attacker from simply using a key logger, capturing your screen, etc.

Right but in practical terms many of the findings cited against Threema were equally if not more doubtful. I don't know who the "big security researchers" you're referencing are, but ... as someone in the tech sector myself I do tend to agree that we've gotten to a place of really happenstance exploits being sold as if they're like the old zero days where the user doesn't have to do anything, it works 100% of the time, and the user loses control of their system.

If that quote is real ... I think they were probably just miffed that the researchers didn't discuss the fact that they were already in the later design stages of protocol improvements and made their findings sound far more plausible to exploit than they were.

There's just a double standard here too... Threema gets shit for downplaying an exploit where you literally have to have physical access to the device, but it's totally fine that signal didn't even use basic operating system functionality (the keychain) to protect data at rest -- that's a physical AND digital risk?